To provide for notification procedures relating to a
breach of unsecured protected health information discovered by LSUHSC-S or
its Business Associates, as prescribed in the Health Information Technology and
Clinical Health Act (HITECH) of the American Recovery and Reinvestment Act
(ARRA) of 2009.

This policy applies to all LSUHSC-Shreveport
health care facilities and providers, including but not limited to hospitals,
physician clinics, labs, etc., which are referred to in this policy as LSUHSC-S.
It applies to all unsecured protected health information, including PHI used by
its Business Associates. Unsecured PHI
can be in any form, including electronic, paper, or oral.

Definition:

A breach is defined as the unauthorized acquisition, access, use, or disclosure of
unsecured protected health information which compromises the security or
privacy of such information and poses a significant risk of harm to the
individual, except where an unauthorized person to whom such information
is disclosed would not reasonably have been able to retain such
information. A breach is not considered
to have occurred if the health information has been de-identified.

Policy:

1. LSUHSC-S will make every reasonable effort to provide for the security of their
patients' PHI.

2. Any detection of a breach shall be reported immediately to the LSUHSC-S Privacy
Officer.

Examples of possible breaches of PHI include, but are
not limited to:

• Accessing and reading medical records out of
curiosity

• Telling a family member about the diagnosis of
another family member or neighbor

• Faxing a patient's information to the wrong outside agency

• Improper disposal of patient information in the
trash; patient information must be shredded

3. To be considered reportable, a data breach must meet certain elements. The following questions
will be considered to determine if a reportable breach has occurred:

a) Did the incident involve impermissible use or
disclosure of PHI under the HIPAA Privacy Rule?

b) Did the incident involve unsecured PHI?

c) Did the incident involve a breach?

d) Was that breach intentional or unintentional in
relation to acquisition, access, or use of unsecured PHI?

e) Was that breach an inadvertent disclosure of unsecured
PHI?

f) Was the person(s) to whom the PHI was disclosed reasonably
able to retain that PHI?

g) Did the breach pose a risk of significant harm?

4. The Privacy Officer, with the Information Security Officer, will determine if the PHI was unsecured
when the potential breach incident occurred.
If it is determined that the PHI was unsecured, then further review will
be needed to determine if a reportable breach has occurred.

5. The Privacy Office must determine if the PHI that was breached was actually acquired, accessed, used,
or disclosed by a member of the facility's workforce or a Business Associate and
if that employee or Business Associate used or disclosed the PHI in a manner that is not permitted by the
HIPAA Privacy Rule.

A breach is not reportable if the following criteria
are met:

• The person who originally accessed the PHI was
authorized to do so; and

• The PHI was disclosed to another person
authorized to access the PHI; and

• The PHI was not further used or disclosed in a
way that violates the HIPAA Privacy Rule.

6. The Privacy and Information Security offices must determine if anyone was able to
access and retain the PHI involved in the breach. If the PHI could not have been retained, then
no further action is required. If the
PHI could have been retained, then further review is required.

7. The Privacy and Information Security offices, with the assistance of other
departments, shall conduct a risk assessment to determine the level of risk in
relation to the privacy/security breach.
If the breach is found to be significant, and all other analysis
indicates that the breach is a reportable event, then the Privacy Officer, or
his/her designee, shall move forward with
notification procedures. If the breach
is determined not to constitute a
risk of harm to the patient(s), then no further action other than documenting
the analysis is required. Any analysis
conducted must be documented and kept on file for a minimum of ten years.

8. LSUHSC-S will notify any individual(s) impacted by a reportable breach as soon as possible
and without unreasonable delay, but in no case later than sixty days after the discovery
of the reportable breach. Written notification will be sent by first-class mail.

If there is reason
to believe that the patient's information is in imminent danger of being misused, LSUHSC-S will attempt to
contact the patient by phone in addition to sending a written notification.

a. If the mailed breach notice is returned indicating that the last known address was
insufficient or inaccurate, an attempt will be made to contact the patient via
the last known phone number of the patient.
If the phone number is found to be inaccurate or no longer in service,
the Privacy Officer or designee will attempt to locate the patient via contact
persons listed by the patient, taking care not to further breach PHI. Every effort will be made to contact the
patient via these methods. Attempts to locate the patient will
be documented in the disclosure breach log.

b. If any one particular breach has ten or more individuals who cannot be contacted
via the contact information listed in the LSUHSC-S system, every reasonable
attempt will be made to update the information. However, if after a reasonable period of time
it becomes evident that such information cannot be updated for ten
or more individuals impacted by the breach, then the Privacy Office must
determine which alternate method of notification (e.g., posting on the
facility's website or notification through major media) will be used to
reasonably reach those whose PHI has been breached. This notification must occur as soon as
possible, but no later than sixty days from the discovery of the breach.

9. In any instance of a breach that involves 500 or more patients, the Privacy Officer will contact HHS
and coordinate media notification with the LSUHSC-S Information Services Department.

10. If a law enforcement official provides a statement in writing that a delay is
necessary for a specific period of time because notification would impede a
criminal investigation or cause damage to national security, LSUHSC-S is
required to delay the notification for the time period specified by the
official.

11. Business Associates are also responsible for complying with the breach notification rules. Business Associates must notify LSUHSC-S of
the breach. It is then LSUHSC-S's responsibility to follow through on notifying
the individuals or HHS.

12. All reportable breaches will be entered into the LSUHSC-S disclosure log. No later than sixty days after the end of
each calendar year, the information related to reportable breaches will be
submitted through the HHS website.